What is uefi secure boot

Overview

UEFI Secure Boot is a security standard introduced with the Unified Extensible Firmware Interface (UEFI) that prevents computers from loading unauthorized operating systems or boot software. It works by checking the digital signature of every boot component before the system allows it to execute.

How Secure Boot Works

When you power on your computer, the UEFI firmware checks each boot file against a database of trusted signing keys. If the signature matches a trusted certificate, the boot process continues. If the signature is invalid or missing, the firmware halts the boot sequence, preventing potential malware from compromising the system at the lowest level. This process occurs before the operating system even loads, making it an effective first line of defense.

Key Components

Secure Boot relies on several components working together: the UEFI firmware itself, a database of trusted keys stored in the firmware (called the Allowed Signature Database), and cryptographic certificates embedded in boot files. The system also maintains a Forbidden Signature Database that explicitly blocks known malicious code. These components create a chain of trust that extends from the firmware through the entire boot process.

Benefits and Protection

Secure Boot provides significant protection against:

• Bootkit and rootkit infections that run before the operating system
• Unauthorized firmware modifications and BIOS attacks
• Malware designed to disable security features at startup
• Unauthorized operating system installations

Disabling Secure Boot

While Secure Boot enhances security, users and administrators can disable it in UEFI settings when necessary. This might be needed for legacy software, custom kernels, or certain Linux distributions. However, disabling Secure Boot should only be done when absolutely necessary and the risks are understood. Most modern systems benefit from keeping Secure Boot enabled.